From: Roman K. <ro...@un...> - 2025-10-29 14:22:27
Hi Sander,

You’re right - in Unity, when the *ACR handling mode* is set to *fixed*, the ACR request is not sent using the acr_values parameter. Instead, Unity adds the ACR information through the *claims parameter* in the authorization request. This is intentional and aligns with the OpenID Connect Core specification, which allows two equivalent ways to request an ACR:

1. via the simple acr_values request parameter, or
2. via the richer claims parameter that supports “essential” ACR requests and more detailed semantics (see OIDC §5.5.1 <https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics> and §5.5.1.1 <https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter>).

Unity uses the second form (the claims parameter) for *fixed ACR configuration*, since it provides better precision and flexibility — for example, it allows expressing essential ACR requirements.

When ACR is set to *forwarded*, Unity simply forwards whatever format was present in the downstream request — that can be either acr_values or claims, depending on the client’s request.

So in short:

- *Fixed mode* → ACR sent inside claims (not visible as acr_values)
- *Forward mode* → Unity preserves the original form (either acr_values or claims)

Best regards,
Roman

On Tue, 28 Oct 2025 at 08:16 Sander Apweiler <sa....@fz...> wrote:

> Hi Krzysztof,
> hi Roman,
>
> is the ACR forwarding to upstream OPs supported? I know there are
> configuration options, but if we test with forwarding and even with
> fixed ACR config to OP, the acr_values are not added in the
> authorization call. We do not see them in our logs and also the OP does
> not receive them.
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
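A log check that searches only for acr_values will miss an ACR request carried in the claims parameter, as described in the reply above. The following is an added example, not code from this thread or from Unity, that reads the ACR request from either form of an authorization URL; the OP host, client id and ACR value are constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

def requested_acr(auth_url):
    """Report how an OIDC authorization request URL asks for an ACR."""
    query = parse_qs(urlsplit(auth_url).query)
    found = {"sources": [], "values": [], "essential": False}

    # Form 1: acr_values, a space-separated list in order of preference.
    if "acr_values" in query:
        found["sources"].append("acr_values")
        found["values"] += query["acr_values"][0].split()

    # Form 2: claims parameter, JSON with the request under id_token.acr.
    if "claims" in query:
        try:
            claims = json.loads(query["claims"][0])
        except json.JSONDecodeError:
            claims = None  # malformed JSON: treat as carrying no ACR request
        id_token = claims.get("id_token") if isinstance(claims, dict) else None
        if isinstance(id_token, dict) and "acr" in id_token:
            found["sources"].append("claims")
            acr = id_token["acr"] or {}  # null = requested without constraints
            if isinstance(acr, dict):
                found["essential"] = acr.get("essential") is True
                if "value" in acr:
                    found["values"].append(acr["value"])
                if isinstance(acr.get("values"), list):
                    found["values"] += acr["values"]
    return found

# Constructed sample requests (hypothetical OP, client id and ACR value).
BASE = "https://op.example/authorize?"
COMMON = {"response_type": "code", "client_id": "demo-client", "scope": "openid"}
ACR = "urn:example:acr:mfa"
CLAIMS_FORM = BASE + urlencode({**COMMON, "claims": json.dumps(
    {"id_token": {"acr": {"essential": True, "values": [ACR]}}})})
ACR_VALUES_FORM = BASE + urlencode({**COMMON, "acr_values": ACR})
NO_ACR = BASE + urlencode(COMMON)

if __name__ == "__main__":
    for url in (CLAIMS_FORM, ACR_VALUES_FORM, NO_ACR):
        print(requested_acr(url))
```
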